Document header concerns

docs/docfx/README.md

@@ -12,8 +12,8 @@ The build will produce a series of HTML files in the `_site` directory. Many of
 
 ## Publishing the docs
 
-The docs are automatically built and published by a [GitHub Action](https://github.com/microsoft/reverse-proxy/blob/main/.github/workflows/docfx_build.yml) on every push to `release/docs`. The built `_site` directory is pushed to the `gh-pages` branch and served by [https://microsoft.github.io/reverse-proxy/](https://microsoft.github.io/reverse-proxy/). Maintaining a seperate branch for the released docs allows us to choose when to publish them and with what content, and without modifying the build scripts each release.
+The docs are automatically built and published by a [GitHub Action](https://github.com/microsoft/reverse-proxy/blob/main/.github/workflows/docfx_build.yml) on every push to `release/latest`. The built `_site` directory is pushed to the `gh-pages` branch and served by [https://microsoft.github.io/reverse-proxy/](https://microsoft.github.io/reverse-proxy/). Maintaining a seperate branch for the released docs allows us to choose when to publish them and with what content, and without modifying the build scripts each release.
 
-Doc edits for the current public release should go into that release's branch (e.g. `release/1.0.0-preview3`) and merged forward into `main` and `release/docs`.
+Doc edits for the current public release should go into that release's branch (e.g. `release/1.0.0-preview3`) and merged forward into `main` and `release/latest`.
 
-When publishing a new product version (e.g. `release/1.0.0-preview4`) `release/latest` should be reset to that position after the docs have been updated.
+When publishing a new product version (e.g. `release/1.0.0-preview4`) `release/latest` should be merged to that position after the docs have been updated.

docs/docfx/articles/header-guidelines.md

@@ -0,0 +1,67 @@
+---
+uid: header-guidelines
+title: Header Guidelines
+---
+
+# HTTP Headers
+
+Headers are a very important part of processing HTTP requests and each have their own semantics and considerations. Most headers are proxied by default, though some used to control how the request is delivered are automatically adjusted or removed by the proxy. Many headers contain information like domain names, paths, or other details that may be affected when a reverse proxy is included in the application architecture. Bellow is a collection of guidelines about how specific headers might be impacted and what to do about them.
+
+## YARP header filtering
+
+YARP automatically removes request and response headers that could impact its ability to forward a request correctly, or that may be used maliciously to bypass features of the proxy. A complete list can be found [here](https://github.com/microsoft/reverse-proxy/blob/v1.0.0-rc.1/src/ReverseProxy/Forwarder/RequestUtilities.cs#L62-L94), with some highlights described below.
+
+### Connection, KeepAlive, Close
+
+These headers control how the TCP connection is managed and are removed to avoid impacting the connection on the other side of the proxy.
+
+### Transfer-Encoding
+
+This header describes the format of the request or response body on the wire, e.g. 'chunked', and is removed because the format can vary between the internal and external connection. The incoming and outgoing HTTP stacks will add transport headers as needed.
+
+### TE
+
+Only the `TE: trailers` header value is allowed through the proxy since it's required for some gRPC implementations.
+
+### Upgrade
+
+This is used for protocols like WebSockets. It is removed by default and only added back for specifically supported protocols (WebSockets, SPDY).
+
+### Proxy-*
+
+These are headers used with proxies and are not considered appropriate to forward.
+
+### Alt-Svc
+
+This response header is used with HTTP/3 upgrades and only applies to the intimidate connection.
+
+### Trace-Parent, RequestId, Trace-State, Baggage, CorrelationContext
+
+These headers relate to distributed tracing. They are automatically removed on .NET 6 or later so that the forwarding HttpClient can replace them with updated values.
+
+## Other Header Guidelines
+
+### Host
+
+The Host header indicates which site on the server the request is intended for. This header is removed by default since the host name used publicly by the proxy is likely to differ from the one used by the service behind the proxy. This is configurable using the [RequestHeaderOriginalHost](transforms.md#requestheaderoriginalhost) transform.
+
+### X-Forwarded-*, Forwarded
+
+Because a separate connection is used to communicate with the destination, these request headers can be used forward information about the original connection like the IP, scheme, port, client certificate, etc.. This information is subject to spoofing attacks and so any existing headers on the request are removed and replaced by default. The destination app should be careful about how much trust it places in these values. See [transforms](transforms.md#defaults) for configuring these in the proxy. See the [ASP.NET docs](https://docs.microsoft.com/aspnet/core/host-and-deploy/proxy-load-balancer) for configuring the destination app to read these headers.
+
+### Set-Cookie
+
+This response header may contain fields constraining the path, domain, scheme, etc. where the cookie should be used. Using a reverse proxy may change the effective domain, path, or scheme of a site from the public view. While it would be possible to [rewrite](https://github.com/microsoft/reverse-proxy/issues/1109) response cookies using custom transforms, it's recommended instead to use the Forwarded headers described above to flow the correct values to the destination app so it can generate the correct set-cookie headers.
+
+### Location
+
+This response header is used with redirects and may contain a scheme, domain, and path that differ from the public values due to the use of the proxy. While it would be possible to [rewrite](https://github.com/microsoft/reverse-proxy/discussions/466) the Location header using custom transforms, it's recommended instead to use the Forwarded headers described above to flow the correct values to the destination app so it can generate the correct Location headers. 
+
+### Server
+
+This response header indicates what server technology was used to generate the response (IIS, Kestrel, etc.). This header is proxied from the destination by default. Applications that want to remove it can use the [ResponseHeaderRemove](transforms.md#responseheaderremove) transform, in which case the proxy's default server header will be used. Suppressing the proxy default server header is server specific, such as for [Kestrel](https://docs.microsoft.com/dotnet/api/microsoft.aspnetcore.server.kestrel.core.kestrelserveroptions.addserverheader#Microsoft_AspNetCore_Server_Kestrel_Core_KestrelServerOptions_AddServerHeader).
+
+### X-Powered-By
+
+This response header indicates what web framework was used to generate the response (ASP.NET, etc.). ASP.NET Core does not generate this header but IIS can. This header is proxied from the destination by default. Applications that want to remove it can use the [ResponseHeaderRemove](transforms.md#responseheaderremove) transform.
+

docs/docfx/articles/toc.yml

@@ -10,6 +10,8 @@
   href: direct-forwarding.md
 - name: HTTP client configuration
   href: http-client-config.md
+- name: Header Guidelines
+  href: header-guidelines.md
 - name: Header Routing
   href: header-routing.md
 - name: Authentication and Authorization